Security & privacy
Health records of 83,000 lost in
OSHAWA, Ont. – Ontario’s privacy
commissioner has launched an investigation after a USB drive containing
the personal health information of more than 83,000 people who attended
flu clinics in Durham Region, just northeast of Toronto, went missing.
The USB key contained the personal information of persons who attended a
Durham Region Health Department flu vaccination clinic for either an
H1N1 or seasonal flu shot between Oct. 23 and Dec. 15.
Commission spokesman Bob Spence said the probe will try to determine
what happened and what steps might be taken to prevent a similar
incident from occurring.
A health department nurse was taking a USB key containing the records to
her car in Whitby, Ont., for use at a remote clinic site on Dec. 15 when
the device was lost. A search failed to turn it up.
“We believe it was lost on regional property. We have some video
surveillance tape to indicate that was the case,” said Dr. Robert Kyle,
chief medical officer of health for Durham Region.
Kyle said the USB key disappeared on Durham Region headquarters property
and includes the names, addresses, phone numbers, dates of birth, health
card numbers and the names of primary physicians for 83,524 people who
visited flu clinics for a seasonal or H1N1 shot between Oct. 23 - Dec.
The missing device also included health information such as a patient’s
allergies and chronic medical conditions but that information would not
be discernable, he said.
“We have absolutely no evidence nor any belief that it was deliberately
stolen,” Dr. Kyle said, adding surveillance video shows the USB being
placed on a rock on the property after it was lost by the nurse. “The
only conclusion we can reach is it was out there in the open, somebody
saw it, they picked it up and carried it away.”
University of Ottawa professor Khaled El Emam, an expert in eHealth
privacy, said the data loss doesn’t bode well for the public’s
perception of how their personal information is being secured.
“You can never prevent human error,” El Emam said. “However, you can put
in place mechanisms, policies and procedures to minimize the probability
of it happening.
“If you are going to hold data on a USB stick you definitely want to
have that encrypted,” he said.
In 2007, Ontario Privacy Commissioner Ann Cavoukian ordered Toronto’s
Hospital for Sick Children to encrypt any personal data taken out of the
hospital on a laptop or other mobile computing device.
The order came after a laptop containing the personal health information
of 2,900 patients was stolen from the car of a researcher.
At the time, the commissioner provided guidelines to all healthcare
professionals working with patient information, saying, “at a minimum,
files or folders containing personal health information must be
encrypted,” if they are stored on mobile devices in an identifiable
“There is no excuse for unauthorized access to personal health
information (PHI) due to the theft or loss of a mobile computing device
- any PHI contained therein must be encrypted,” Cavoukian said in her
Health officials in Durham have apologized for the security lapse and
said a notification letter will be sent to anyone who attended the flu
Posted Jan. 28, 2010